SS7 basics


SS7 (Signaling System No. 7) is a set of telephony protocols used to set up and tear down 
telephone calls, send and receive SMS messages, provide subscriber mobility, and more. 


> Fixed telephony
> 2G/3G mobile networks
> Interconnection with next-generation networks

Chart (image not preserved): mobile connections by technology, 2017 to 2025.
Source: GSMA Intelligence 2018, Mobile connections by technology
https://www.gsmaintelligence.com/research/2018/02/infographic-mobile-connections-by-technology/656/


Now what can a Hacker do? 


> Intercept private data, calls and SMS messages
> Take control of your digital identity
> Get access to your email and social media
> Track location of VIPs and public figures
> Perform massive denial of service attacks
> Steal money

From anywhere. Any mobile operator. No special skills needed. Easily.
SS7 development


Trusted environment. No security mechanisms in the protocol stack. 


SIGTRAN (SS7 over IP) introduced. Security is still missing. 


Scope grows 


Growing number of SS7 connections, increasing amount of SS7 traffic. 


No security policies or restrictions. 


Not trusted anymore 
Huge number of MNOs, MVNOs, and VAS providers. 


SS7 widely used, Diameter added and spreading. Still not enough security. 


Security
Configuration, security assessment, SS7 firewall, SMS Home Routing, Signaling IDS.


Basic nodes and identifiers 


MSISDN — Mobile Subscriber Integrated Services Digital Number
GT — Global Title, address of a core node element
IMSI — International Mobile Subscriber Identity
STP — Signaling Transfer Point
HLR — Home Location Register
MSC/VLR — Mobile Switching Center and Visited Location Register
SMS-C — SMS Centre


SS7 protocol stack


Mobile Application Part
is the payload that contains an operation code and the appropriate parameters,
such as IMSI, profile information, and location data.


Transaction Capabilities Application Part
is responsible for transaction and dialogue processing.


Signaling Connection Control Part 
is responsible for the routing of a signaling message by Global Titles. 


SS7 security means


Signaling Transfer Point 
makes simple screening of signaling messages. 


SMS Home Routing 
is intended to prevent SMS fraud and hide IMSI identities. 


SS7 firewall
is the most sophisticated signaling security tool that protects the
network against a wide range of threats such as IMSI disclosure,
location tracking, and traffic interception.


Signaling Transfer Point 


> Signaling Transfer Point is a router that relays SS7 messages between 
signaling end-points and other signaling transfer points. 


> Usually the STP is a border point in a signaling network. 


> It is possible to use the STP for the screening of ineligible signaling
traffic.


> Screening rules of most STPs are simple, for instance, blocking a
signaling message by a source address or redirecting a signaling message
by an operation code.


> The STP looks through a signaling message layer by layer and applies a 
rule as soon as the first appropriate pattern is triggered. 


SMS delivery process 


SRI4SM — SendRoutingInfoForSM

1. SRI4SM Request: MSISDN (SMS-C → HLR)
2. SRI4SM Response: IMSI, MSC Address (HLR → SMS-C)
3. MT-SMS: IMSI, SMS Text (SMS-C → MSC)


SRI4SM abuse by a malefactor 


A malefactor sends the same SRI4SM Request through the STP and receives the subscriber's IMSI and MSC Address in the response.

1. SRI4SM Request: MSISDN (malefactor → STP → HLR)
2. SRI4SM Response: IMSI, MSC Address (HLR → STP → malefactor)


SMS Home Routing

1. SRI4SM Request: MSISDN (sender → STP → SMS Router → HLR)
2. SRI4SM Response: the HLR returns the real IMSI and MSC Address to the SMS Router; the SMS Router returns a fake IMSI and the SMS-R Address to the sender
3. MT-SMS: the sender addresses the message to the fake IMSI, so it arrives at the SMS Router, which forwards it to the MSC with the real IMSI

A malefactor's SRI4SM Request (MSISDN) therefore only gets back a fake IMSI and the SMS-R Address.


SS7 firewall: blocking rules

SS7 Message layers inspected by the firewall:
MAP: OpCode, IMSI, ...
TCAP: Application Context
SCCP: Source / Destination

Firewall rules
> Block a message by an operation code
> Block a message by an operation code and correlation of a source address and subscriber identity
> Block a message by an operation code and subscriber's real location


SS7 attacks and vulnerabilities

> IMSI disclosure via a malformed Application Context Name (ACN) parameter
> Location tracking via Operation Code Tag substitution
> Voice call interception (MiTM) via a Double MAP vulnerability


IMSI disclosure

TCAP message structure:
TCAP Message Type — mandatory
Transaction IDs — mandatory
Dialogue Portion — optional
Component Portion — optional

Capture: GSM MAP invoke sendRoutingInfoForSM, followed by GSM MAP returnResultLast sendRoutingInfoForSM

Dissection of the request:
MTP 3 User Adaptation Layer
Signalling Connection Control Part
Transaction Capabilities Application Part
  [Transaction Id: 881281]
  oid: 0.0.17.773.1.1.1 (id-as-dialogue)
  dialogueRequest
    application-context-name: 0.4.0.0.1.0.20.3 (shortMsgGatewayContext-v3)
  components: 1 item
    GSM Mobile Application
      Component: invoke (1)
        invoke
          invokeID: 1
          opCode: localValue (0)
            localValue: sendRoutingInfoForSM (45)
          msisdn: (hidden on the slide)
          sm-RP-PRI: True
          serviceCentreAddress: (hidden on the slide)
Dissection of the dialogue portion:
Signalling Connection Control Part
Transaction Capabilities Application Part
  begin
    [Transaction Id: 00003338]
    Source Transaction ID
    oid: 0.0.17.773.1.1.1 (id-as-dialogue)
    dialogueRequest
      Padding: 7
      protocol-version: 80 (version1)
    components: 1 item

Application Context Name 0.4.0.0.1.0.20.3, arc by arc:
0: CCITT
4: Identified Organization
0: ETSI
0: Mobile Domain
1: GSM/UMTS Network
0: Application Context ID
20: ShortMsgGateway
3: Version 3

Malformed Application Context Name 0.4.4.0.1.0.20.3, arc by arc:
0: CCITT
4: Identified Organization
4: Unknown
0: Mobile Domain
1: GSM/UMTS Network
0: Application Context ID
20: ShortMsgGateway
3: Version 3
IMSI disclosure via malformed ACN

1. SRI4SM Request: MSISDN, malformed ACN (malefactor → STP → network)

Capture: GSM MAP invoke sendRoutingInfoForSM

Signalling Connection Control Part
Transaction Capabilities Application Part
  begin
    [Transaction Id: 00003101]
    Source Transaction ID
    oid: 0.0.17.773.1.1.1 (id-as-dialogue)
    dialogueRequest
      Padding: 7
      protocol-version: 80 (version1)
      application-context-name: 0.4.4.0.1.0.20.3 (itu-t.4.4.0.1.0.20.3)   <- Malformed ACN
IMSI disclosure via malformed ACN

1. SRI4SM Request: MSISDN, malformed ACN passes the STP unchanged.
2. SRI4SM Response: the network answers with the real IMSI and location. SMS Router bypassed.

Capture: GSM MAP invoke sendRoutingInfoForSM, GSM MAP returnResultLast sendRoutingInfoForSM

Dissection of the response:
Signalling Connection Control Part
Transaction Capabilities Application Part
  GSM Mobile Application
    Component: returnResultLast (2)
      returnResultLast
        invokeID: 1
        resultretres
          opCode: localValue (0)
          IMSI: (hidden on the slide)
          locationInfoWithLMSI


IMSI disclosure via malformed ACN

1. SRI4SM Request: MSISDN, malformed ACN (malefactor → STP → network)

Capture, two SRI4SM request/response pairs:
GSM MAP invoke sendRoutingInfoForSM
GSM MAP returnResultLast sendRoutingInfoForSM
GSM MAP invoke sendRoutingInfoForSM
GSM MAP returnResultLast sendRoutingInfoForSM

Equal IMSIs in both responses mean the SMS Home Routing solution is absent or not involved.

Dissection of the response:
Signalling Connection Control Part
Transaction Capabilities Application Part
  GSM Mobile Application
    Component: returnResultLast (2)
      returnResultLast
        invokeID: 1
        resultretres
          opCode: localValue (0)
          IMSI: (hidden on the slide)
          locationInfoWithLMSI


Location tracking

Numbering plans
E.164 (MSISDN and GT): Country Code, Network Destination Code, subscriber number (slide example: China)
E.212 (IMSI): Mobile Country Code, Mobile Network Code (slide example: China)

Capture: GSM MAP invoke provideSubscriberInfo

The three fields the correlation rule uses:
Operation code: localValue provideSubscriberInfo (70)
Source address: SCCP Calling Party Digits (Called or Calling GT digits)
Subscriber identity: IMSI

Transaction Capabilities Application Part
  GSM Mobile Application
    Component: invoke (1)
      invoke
        invokeID: 1
        opCode: localValue (0)
          localValue: provideSubscriberInfo (70)
        IMSI: 460804... (remaining digits hidden on the slide)
          Mobile Country Code (MCC): China (460)
          Mobile Network Code (MNC): Unknown (804)
        requestedInfo

Rule: Block a message by an operation code and correlation of a source address and subscriber identity.

Switzerland ≠ China: the country of the source address does not match the country of the subscriber's network, so the message is blocked.
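The correlation rule above, as an added example that is not code from the presentation or from any firewall product: it parses an SCCP Calling Party address with Global Title indicator 4 (the format shown in the deck's capture), takes the country of the GT from its E.164 country code and the country of the subscriber from the IMSI's E.212 MCC, and blocks provideSubscriberInfo when they differ. The country tables hold real codes for four countries only, and the GT digits and IMSI are constructed sample values.

```python
"""Correlation rule from the page: for provideSubscriberInfo (MAP opcode 70) the
country of the SCCP Calling Party GT (E.164) must match the country of the IMSI
(E.212 MCC); a mismatch such as Switzerland vs China is blocked."""

# Sample numbering-plan tables (real codes for four countries; a production
# rule needs the full ITU-T E.164 and E.212 lists).
E164_CC = {"41": "Switzerland", "86": "China", "49": "Germany", "44": "United Kingdom"}
E212_MCC = {"228": "Switzerland", "460": "China", "262": "Germany",
            "234": "United Kingdom", "235": "United Kingdom"}
PROVIDE_SUBSCRIBER_INFO = 70

def tbcd(raw):
    """Decode telephony BCD digits: low nibble first, 0xF pads an odd count."""
    nibbles = [n for x in raw for n in (x & 0xF, x >> 4)]
    return "".join(str(n) for n in nibbles if n < 10)

def parse_sccp_address(raw):
    """Parse an SCCP party address (ITU-T Q.713) with Global Title indicator 4."""
    ai, i = raw[0], 1
    assert (ai >> 2) & 0xF == 4, "only GT indicator 4 is handled here"
    if ai & 0x01:                      # point code present: 2 bytes
        i += 2
    ssn = None
    if ai & 0x02:                      # SSN present: 1 byte
        ssn, i = raw[i], i + 1
    tt, np_es, nai = raw[i], raw[i + 1], raw[i + 2]
    return {"ssn": ssn, "tt": tt, "np": np_es >> 4, "es": np_es & 0xF,
            "nai": nai & 0x7F, "digits": tbcd(raw[i + 3:])}

def country_of_gt(digits):
    """E.164 country codes are 1 to 3 digits and prefix-free: try each length."""
    for k in (1, 2, 3):
        if digits[:k] in E164_CC:
            return E164_CC[digits[:k]]
    return None

def country_of_imsi(imsi):
    """E.212: the first three IMSI digits are the Mobile Country Code."""
    return E212_MCC.get(imsi[:3])

def firewall_decision(calling_party_raw, opcode, imsi):
    """Rule: block PSI when the source GT country differs from the IMSI country."""
    if opcode != PROVIDE_SUBSCRIBER_INFO:
        return "pass", "rule applies to provideSubscriberInfo only"
    addr = parse_sccp_address(calling_party_raw)
    if addr["nai"] != 4:               # Nature of Address: 4 = International
        return "block", "source GT is not an international number"
    src, sub = country_of_gt(addr["digits"]), country_of_imsi(imsi)
    if src is None or sub is None:
        return "block", "unknown country for GT %s or IMSI %s" % (addr["digits"], imsi)
    if src != sub:
        return "block", "source %s != subscriber %s" % (src, sub)
    return "pass", "source and subscriber both in %s" % src

# Constructed samples (not real subscribers). Calling Party address layout:
# AI=0x12 (route on GT, GTI 4, SSN present), SSN 6 (HLR), TT 0,
# NP/ES 0x11 (ISDN, BCD odd), NAI 0x04 (International), then BCD digits.
SWISS_GT = bytes.fromhex("12 06 00 11 04 14 97 00 00 00 f1")       # GT 41790000001
CHINESE_GT = bytes.fromhex("12 06 00 11 04 68 31 08 00 00 00 f1")  # GT 8613800000001
CHINESE_IMSI = "460000000000001"
```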


ITU-T Q.773 Recommendation

ITU-T Q.773 — Transaction capabilities formats and encoding
Table 22/Q.773 — Coding of Operation Code Tag: the table defines a Local Operation Code Tag and a Global Operation Code Tag.

Capture (Local OpCode):
1 GSM MAP invoke provideSubscriberInfo
2 GSM MAP SACK returnResultLast provideSubscriberInfo

Signalling Connection Control Part
Transaction Capabilities Application Part
  GSM Mobile Application
    Component: invoke (1)
      invoke
        invokeID: 1
        opCode: localValue (0)
          localValue: provideSubscriberInfo (70)
(The slide highlights the Operation Code Tag byte in the hex dump of this component.)

Location tracking via Global OpCode

1. PSI with Global OpCode tag (malefactor → STP → MSC/VLR). The SS7 FW is looking for a Local OpCode. Global OpCodes are ignored.

Signalling Connection Control Part
Transaction Capabilities Application Part
  ...
        invokeID: 1
        opCode: globalValue (1)
          globalValue: 1.30 (iso.30)
(The slide highlights the substituted Operation Code Tag byte in the hex dump.)


Location tracking via Global OpCode

2. PSI with Global OpCode tag reaches the MSC/VLR. The VLR replies with the Local OpCode and a requested cell identity. Equipment of four vendors replies to signaling messages with the Global OpCode.

Capture:
1 GSM MAP invoke provideSubscriberInfo
2 GSM MAP SACK returnResultLast provideSubscriberInfo

Transaction Capabilities Application Part
  GSM Mobile Application
    Component: returnResultLast (2)
      returnResultLast
        invokeID: 1
        resultretres
          opCode: localValue (0)
            localValue: provideSubscriberInfo (70)
          subscriberInfo
            locationInformation
              ageOfLocationInformation: 240
              geographicalInformation: (hidden on the slide)
              vlr-number: (hidden on the slide)
              cellGlobalIdOrServiceAreaIdOrLAI: cellGlo... (truncated on the slide)
Voice call interception (MiTM)

Exploitation of a Double MAP vulnerability

1. InsertSubscriberData Request: IMSI, spoofed billing platform address (malefactor → STP → MSC/VLR)

Capture:
1 GSM MAP invoke insertSubscriberData

Signalling Connection Control Part
Transaction Capabilities Application Part
  GSM Mobile Application
    Component: invoke (1)
      invoke
        invokeID: 1
        opCode: localValue (0)
        IMSI: (hidden on the slide)
        vlrCamelSubscriptionInfo


Voice call interception (MiTM)

2. The MSC/VLR answers with returnResultLast insertSubscriberData and the dialogue ends.

Capture:
1 GSM MAP invoke insertSubscriberData
2 GSM MAP returnResultLast insertSubscriberData
3 TCAP End dtid(410001ba)

Signalling Connection Control Part
Transaction Capabilities Application Part
  GSM Mobile Application
    Component: returnResultLast (2)
      returnResultLast
        invokeID: 1
        resultretres
          opCode: localValue (0)
          Padding: 4
          supportedCamelPhases: c0 (phase1, phase2)


Voice call interception (MiTM)

3. InitialDP: IMSI, A-Num, B-Num. The MSC/VLR sends a CAMEL InitialDP to the spoofed billing platform address.

Capture:
1 GSM MAP invoke insertSubscriberData
2 GSM MAP returnResultLast insertSubscriberData
3 TCAP End dtid(410001ba)
4 Camel-v2 invoke initialDP

Signalling Connection Control Part
Transaction Capabilities Application Part
  Camel-V2
    invoke
      invokeId: present (0)
      opcode: local (0)
      InitialDPArg
        serviceKey: 1
        callingPartyNumber: (hidden on the slide)
        callingPartysCategory: ordinary calling subscriber (10)
        locationNumber: (hidden on the slide)
        calledPartyBCDNumber: (hidden on the slide)
        timeAndTimezone: (hidden on the slide)
        IMSI: (hidden on the slide)


Voice call interception (MiTM)

1. InitialDP: IMSI, A-Num, B-Num (MSC/VLR → spoofed billing platform)
2. Connect: PBX-Num (spoofed billing platform → MSC/VLR)
3. IAM: A-Num, B-Num (MSC/VLR)

Capture:
1 GSM MAP invoke insertSubscriberData
2 GSM MAP returnResultLast insertSubscriberData
3 TCAP End dtid(410001ba)
4 Camel-v2 invoke initialDP
5 Camel-v2 invoke connect

Signalling Connection Control Part
Transaction Capabilities Application Part
  Camel-V2
    invoke
      invokeId: present (0)
      opcode: local (0)
      ConnectArg
        destinationRoutingAddress: 1 item
          CalledPartyNumber: (hidden on the slide)


SS7 FW against MiTM attack

1. InsertSubscriberData Request: IMSI, spoofed billing platform address (malefactor → STP → SS7 FW)
2. The SS7 FW correlates the IMSI and the source address and blocks the InsertSubscriberData message.

Capture:
1 GSM MAP invoke insertSubscriberData

Calling Party address (11 bytes)
  Address Indicator
  SubSystem Number: HLR (Home Location Register) (6)
  [Linked to TCAP, TCAP SSN linked to GSM MAP]
  Global Title 0x4 (11 bytes)
    Translation Type: 0x00
    0001 .... = Numbering Plan: ISDN/telephony (0x1)
    .... 0001 = Encoding Scheme: BCD, odd number of digits
    .000 0100 = Nature of Address Indicator: International
    Calling Party Digits: 4... (rest hidden on the slide)
Transaction Capabilities Application Part
  GSM Mobile Application
    Component: invoke (1)
      invoke
        invokeID: 1
        opCode: localValue (0)

Switzerland ≠ China


TCAP message structure:
TCAP Message Type — mandatory
Transaction IDs — mandatory
Dialogue Portion — optional
Component Portion — optional

Capture:
1 GSM MAP invoke provideSubscriberInfo

GSM Mobile Application
  Component: invoke (1)
    invoke
      invokeID: 1
      opCode: localValue (0)
        localValue: provideSubscriberInfo (70)
      IMSI: (hidden on the slide)
        Mobile Country Code (MCC): China (460)
        Mobile Network Code (MNC): Unknown (804)
      requestedInfo

Double MAP component

TCAP Message Type — mandatory
Transaction IDs — mandatory
Dialogue Portion — optional
Component Portion — optional
  Component 1
  Component 2

Capture:
1 GSM MAP invoke provideSubscriberInfo

Transaction Capabilities Application Part
  GSM Mobile Application
    Component: invoke (1)
      invoke
        invokeID: 1
        opCode: localValue (0)
          localValue: provideSubscriberInfo (70)
        IMSI: (hidden on the slide)
          Mobile Country Code (MCC): China (460)
          Mobile Network Code (MNC): Unknown (804)
        requestedInfo
  GSM Mobile Application
    Component: invoke (1)
      invoke
        invokeID: 1
        opCode: localValue (0)
          localValue: provideSubscriberInfo (70)
        IMSI: (hidden on the slide)
          Mobile Country Code (MCC): (hidden on the slide)
          Mobile Network Code (MNC): (hidden on the slide)

The SS7 FW checks a subscriber's ID in the first component, considering the other data as a long payload not meant to be inspected.


Double MAP in MiTM attack

Message sequence (from the captures on the slides; the malefactor is on one side of the STP, the MSC/VLR on the other):

TCAP Begin (malefactor → STP → MSC/VLR): InsertSubscriberData REQ + DeleteSubscriberData REQ in one message.
The message goes to the SS7 FW for inspection; the FW inspects the first component only and forwards the message to the network.
MTP 3 User Adaptation Layer
Signalling Connection Control Part
Transaction Capabilities Application Part
  GSM Mobile Application
    Component: invoke (1)
      invoke
        invokeID: 1
        opCode: localValue (0)
          localValue: insertSubscriberData (7)
        IMSI: (hidden on the slide)
        category: 0a
  GSM Mobile Application
    Component: invoke (1)
      invoke
        localValue: deleteSubscriberData (8)

TCAP Continue (MSC/VLR → malefactor): returnError
  GSM Mobile Application
    Component: returnError (3)
      returnError
        invokeID: 1
        errorCode: localValue (0)

TCAP Continue (malefactor → STP → MSC/VLR): InsertSubscriberData REQ + InsertSubscriberData REQ. Again the FW inspects the first component only and forwards the message to the network.
Transaction Capabilities Application Part
  continue
  GSM Mobile Application
    Component: invoke (1)
      invoke
        invokeID: 3
        opCode: localValue (0)
          localValue: insertSubscriberData (7)
        subscriberStatus: serviceGranted (0)
    Component: invoke (1)
      invoke
        invokeID: 4
        opCode: localValue (0)
          localValue: insertSubscriberData (7)
        vlrCamelSubscriptionInfo

TCAP Continue (MSC/VLR → malefactor): returnResultLast insertSubscriberData, invokeID 3
TCAP Continue (MSC/VLR → malefactor): returnResultLast, invokeID 4
TCAP End dtid(040a169*) (malefactor → MSC/VLR)

Full capture:
1 GSM MAP invoke insertSubscriberData invoke deleteSubscriberData
2 GSM MAP returnError
3 GSM MAP invoke insertSubscriberData invoke insertSubscriberData
4 GSM MAP returnResultLast insertSubscriberData
5 GSM MAP returnResultLast
6 TCAP End dtid(040a169*)
7 Camel-v2 invoke initialDP
8 Camel-v2 invoke connect

The call is then intercepted as before:

TCAP Begin (MSC/VLR → malefactor): Camel-v2 invoke initialDP
  Camel-V2
    invoke
      invokeId: present (0)
      opcode: local (0)
      InitialDPArg
        serviceKey: 1
        callingPartyNumber: (hidden on the slide)
        callingPartysCategory: operator, language English (2)
        locationNumber: (hidden on the slide)
        bearerCapability: bearerCap (0)
        eventTypeBCSM: collectedInfo (2)

TCAP End (malefactor → MSC/VLR): Camel-v2 invoke connect
  Camel-V2
    invoke
      invokeId: present (0)
      opcode: local (0)
      ConnectArg
        destinationRoutingAddress: 1 item
          CalledPartyNumber: (hidden on the slide)


Main issues in SS7 security

> SS7 architecture flaws
> Configuration mistakes
> Software bugs


Conclusion 


1. Check if your security tools are effective against new vulnerabilities. 


2. Use an intrusion detection solution along with an SS7 firewall in order to
detect threats promptly and block a hostile source.


3. Block TCAP Begin messages with double MAP components. 
We observed only one legal pair: 
BeginSubscriberActivity + ProcessUnstructuredSS-Data. 


4. Configure your STP and SS7 firewall carefully. Do not forget about 
malformed Application Context Name and Global OpCodes. 
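Conclusion items 3 and 4 turned into one inspection routine, as an added example that is not the presenter's code and not any vendor's firewall: a minimal BER walker parses a TCAP Begin and flags an Application Context Name outside an allowlist, a Global Operation Code Tag (OID where an INTEGER is expected) and more than one MAP component in a single Begin. The allowlist, transaction ids and parameter contents are constructed, and the sample messages are built by the block's own encoder.

```python
"""Inspect a TCAP Begin (ITU-T Q.773 BER) for the evasions on the page: malformed ACN, Global OpCode tag, Double MAP."""
# ACN allowlist: shortMsgGatewayContext-v3 is from the page; the other two are
# the standard 3GPP contexts for provideSubscriberInfo and insertSubscriberData.
KNOWN_ACN = {"0.4.0.0.1.0.20.3": "shortMsgGatewayContext-v3",
             "0.4.0.0.1.0.28.3": "subscriberInfoEnquiryContext-v3",
             "0.4.0.0.1.0.1.3": "networkLocUpContext-v3"}
ID_AS_DIALOGUE = b"\x00\x11\x86\x05\x01\x01\x01"    # OID 0.0.17.773.1.1.1

def tlv(tag, content):
    """Encode one BER TLV with a definite length (content up to 255 bytes)."""
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + content
def children(buf):
    """Yield (tag, value) pairs from the content of a constructed BER value."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                                    # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n
def oid_str(b):
    """Decode a BER OBJECT IDENTIFIER value into dotted notation."""
    subids, cur = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        cur = (cur << 7) | (x & 0x7F)
        if not x & 0x80:
            subids, cur = subids + [cur], 0
    return ".".join(map(str, subids))
def begin(otid, acn, invokes):
    """Build a TCAP Begin: otid, dialogue portion (AARQ with the ACN), invokes."""
    aarq = tlv(0x60, tlv(0x80, b"\x07\x80") + tlv(0xA1, tlv(0x06, acn)))
    dialogue = tlv(0x6B, tlv(0x28, tlv(0x06, ID_AS_DIALOGUE) + tlv(0xA0, aarq)))
    comps = b"".join(tlv(0xA1, tlv(0x02, bytes([i + 1])) + op + param)
                     for i, (op, param) in enumerate(invokes))
    return tlv(0x62, tlv(0x48, otid) + dialogue + tlv(0x6C, comps))
def find_acn(node):
    """Descend EXTERNAL -> single-ASN1-type -> AARQ to application-context-name."""
    for t, v in children(node):
        if t == 0xA1:                                   # [1] application-context-name
            return oid_str(next(children(v))[1])
        if t in (0x28, 0xA0, 0x60):
            return find_acn(v)
    return None
def inspect_begin(msg):
    """Return the findings an SS7 firewall rule set should raise for one Begin."""
    (tag, body), = children(msg)
    assert tag == 0x62, "not a TCAP Begin (tag 0x62)"
    findings = []
    for t, v in children(body):
        if t == 0x6B and find_acn(v) not in KNOWN_ACN:   # dialogue portion
            findings.append("malformed ACN " + str(find_acn(v)))
        elif t == 0x6C:                                 # component portion
            invokes = [c for ct, c in children(v) if ct == 0xA1]
            if len(invokes) > 1:                        # Double MAP component
                findings.append("%d MAP components in one Begin" % len(invokes))
            for inv in invokes:
                _, (optag, opval) = list(children(inv))[:2]   # invokeID, opCode
                if optag == 0x06:                       # OID tag = Global OpCode
                    findings.append("global opcode " + oid_str(opval))
    return findings

# Constructed samples: a legitimate SRI4SM and the three evasion variants.
def local(op): return tlv(0x02, bytes([op]))            # Local Operation Code Tag
PARAM = tlv(0x30, tlv(0x04, b"\x91\x41"))               # dummy parameter sequence
ACN_SMSGW, ACN_PSI, ACN_ISD = (b"\x04\x00\x00\x01\x00" + bytes([n, 3]) for n in (20, 28, 1))
SAMPLES = {
    "sri4sm": begin(b"\x00\x00\x33\x38", ACN_SMSGW, [(local(45), PARAM)]),
    "sri4sm_bad_acn": begin(b"\x00\x00\x31\x01", b"\x04\x04\x00\x01\x00\x14\x03", [(local(45), PARAM)]),
    # Global OpCode 1.30 encodes as 06 01 46: its value byte equals local opcode 70 (PSI)
    "psi_global_op": begin(b"\x00\x00\x00\x01", ACN_PSI, [(tlv(0x06, b"\x46"), PARAM)]),
    "double_map": begin(b"\x00\x00\x00\x02", ACN_ISD, [(local(7), PARAM), (local(8), PARAM)]),
}
```

Run `inspect_begin` over each entry of `SAMPLES`: the legitimate message yields no findings and each of the other three yields exactly the finding named by its key.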


Thank you! 


Sergey Puzankov for DEFCON AI 


spuzankov@ptsecurity.com 